CONTROLLED PROXY SECURE END TO END COMMUNICATION 
BACKGROUND OF THE INVENTION 
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1. Field of the Invention 

This invention relates to digital communication, and in particular to secure 
communication using cryptographic techniques. 

2. Description Relative to the Prior Art 

Communication security continues to be one of the major concerns in network 
10 applications. Many mechanisms have been developed to improve the security of communication 
3 over the Internet. For example, IP Security (IPSec) implements security mechanisms in the 
Internet Protocol (IP) to provide a general purpose transparent solution to upper layer 
applications. Secure Socket Layer (SSL) or Transport Layer Security (TLS) implements security 
mechanisms on top of TCP for HTTP, SMTP and FTP. Other application specific protocols like 



□5 PGP, PEM and S/MINE for secure emails, Kerberos for authentication service and Secure 
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Electronic Transaction (SET), are also available to provide application specific services. These 
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security services mainly are designed for TCP/IP networks and client/server computation 
paradigms. They assume that users have adequate computation resources, including hardware, 
software and communication bandwidth to carry out the required operations. Wireless network 
20 users who communicate with simple handheld devices or end user users who travel away from 
their computer/network base, may not have adequate computation resources , and therefore 
temporarily lose the support of home based security services. 
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Secure end-to-end communication requires that the communicating parties verify each 
other's claimed identity, and to establish a session key for message encryption and decryption after 
a successful mutual authentication. This session key can be derived from a shared secret through 
challenge-response interactions. The shared secret can be a short password as used in the 
Encrypted Key Exchange (EKE) protocols, but usually it is a long random bit sequence, ranging 
from 64 to 256 bits, which is hard to remember. Since one may want to have secure 
communications with many others, it is almost impossible for one to share a different secret with 
all potential communicating partners. 

A more suitable approach is to derive the session key through the use of key agreement 
protocols based on private key/ public key and digital signature techniques known in the art. 
However, such private key/ public key techniques entail expensive encryption/decryption 
operations, and require additional software support for verification of certificates and digital 
signatures. This is feasible for computer users having sufficient computation power and 
bandwidth, but for mobile stations, this approach becomes impractical. Computation of the 
session key and verification of signatures and certificates require significant memory space, 
hardware and power capabilities. A end user device, such as a PCS phone is limited in these 
essentials, and more importantly, with limited bandwidth the delay in execution of the required 
programs would be intolerable. 

The present invention is directed towards solving the above problems by providing 
apparatus and a method for overcoming the obstacles to providing secure session keys for 
transmissions between end users having various levels of computing power. 




The public key/private key, digital signature protocols referenced above are described in 
the Background of the Disclosure of U.S. Patent Number 4,405,829 issued in the names of 
Rivest et al, and is hereby incorporated by reference. 

5 SUMMARY OF THE INVENTION 

The present invention discloses apparatus and a method for end-users requiring secure 
communication but not having adequate computation power, bandwidth or power supply 
capacity to implement the necessary security protocols. Two end-users, employing 
communication devices subject to such constraints, may engage in secure communication by 
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^ffio delegating the execution of the required complex computation, certification and authorization 
protocols to proxies not subject to these limitations. In the preferred embodiment, two certified 
proxies have the computation power to perform real time calculations necessary to generate a 
session key for valid communication between the end users over a standard communication 
channel. Each end user will then communicate by encrypting and decrypting their messages by 

+5 means of the generated session key. The resultant session key is a binary string of l's and O's, 
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« u and is symmetrically used by each of the end users. The device at the sending end has sufficient 
computation ability to implement the Data Encryption Standard (DES) by applying the generated 
session key to the outgoing message for encryption, and the receiving end device is capable of 
applying the session key to the data stream in conjunction with DES decryption to recover the 
20 message. It will be appreciated that the proxies carry the burden of authenticating the mutual 
transmissions to insure the end users, and each other, that the transfers of information in the 
process of generating the session key, are secure . Digital signatures, encrypted sensitive data, 
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and challenges and responses further insure that the parties are the valid participants. This 
procedure for generating the session key by utilizing the power of proxies provides end users 
with an effective security environment. In a second embodiment, where one of the end stations 
has adequate capability for computation and authentication, a single proxy is employed to 
5 interface with the end user not having the necessary capability. 

BRIEF DESCRIPTION OF THE DRAWINGS 
The invention will be described with respect to the figures of which: 
Fig. 1 is a block diagram of the apparatus of the invention, 
Fig. 2 is a flow diagram of information generated by end user station- 1 for transfer 
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JjO to proxy 1, 
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In Fig. 3 is a flow diagram of information generated by proxy- 1 for transfer to proxy- 
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2, 

Fig. 4 is a flow diagram of information generated by proxy-2 for transfer to end 



[f\ user station-2, 

L45 Fig. 5 is a flow diagram of information returned from end user station-2 to proxy- 
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H 2, 

Fig. 6 is a flow diagram of information returned from proxy-2 to proxy- 1, 

Fig. 7 is a flow diagram of information returned from proxy- 1 to end user station- 

1, 

20 Fig. 8 is a flow diagram of processing information by end user station- 1 to 

generate the session key, 

Fig. 9 is a block diagram of a second embodiment of the invention, and 



Figs. 10-18 are flow diagrams for the second embodiment of the invention wherein 
one end station is capable of session key computation and authentication, and the second end 
station is limited in such capability, precluding its ability to folly effect the required computations 
necessitated by the invention. Note that a user can instruct an end user station to change its 
behavior. For example, a desk top computer capable of performing signature and identity 
verification may be instructed to act like a handheld device that needs the help of a proxy to 
establish a secure end-to-end communication with another end user station. Therefore, a proxy 
does not exactly know the machine that it is serving is a desktop computer or a handheld device. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 
Referring to Fig. 1, an originating end user station ,10 ,initiates action to establish secure 
communication over network ,14, with a terminating end user station 12. Secure communication 
requires the derivation of a common session key between end user station 10 and end user station 
12 which will be used to encrypt and decrypt the messages between end user stations 10,12, and 
mutual authentication that the communicators are who they say they are. However, the computing 
power, memory capacity and supply power of the end user stations 10, 12, (which may be 
portable devices), may not be sufficient to carry out the computer operations necessary to 
generate the required session key and the authentication. End user stations 10, 12 , therefore, can 
establish, respectively, their servers as proxies 16, 18 . Servers 16, 18, may be telephone service 
providers or Internet service providers , and they have the necessary hardware and software 
capability to assume the burdens of computing the required session key, and more importantly, to 
act as intermediaries in determining the authenticity of the end user stations, 10, 12, and proxies 



16, 18. This relationship requires the establishment of trust between the end user station 10 and 
its proxy 16, and between end user station, 12, and its proxy 18. Each proxy 16, 18 is entrusted 
to authenticate of its respective client 10,12, and this requires that the certificate, obtained from a 
recognized Certificate Authority be in the proxy's possession. Additionally, in communications 
5 between the proxies 16,18, the end user stations 10, 12, rely on the proxies 16, 18 to use public 
and private security keys, in accordance with procedures known in the art, to provide secure 
transmissions, including valid digital signatures, in the inter-proxy communications required to 
compute and validate the messages for their clients, end user stations 10,12. End user stations 
10,12 use confidentially maintained passwords in their respective interactions with their proxies 
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16, 18. 
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l[j The derivation of the session key requires extensive computations in a Galois field G(P), 

f f Z where P is a large prime such that P-l does not consist entirely of small factors. For example, P 
[~ may be a prime wherein 2 511 <P<2 512 ' and P is generated by g , a primitive root of P . A primitive 
in root of P is one whose powers generate all the integers from 1 to P-l; that is, g mod P, g mod 

Hs P,....,...g P1 mod P are all distinct, and consist of the integers from 1 to P-l . The value of g and P 
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^ may be known in advance to the four parties involved in the derivation and use of a session key. 
All computations are performed mod P. 

An essential feature of the present invention is that after each interchange of information, 
confirmation of the origin of the information by means of challenges and responses, as well as 
20 valid identity authentications takes place, as will be explained in detail below. 

Referring to Fig. 2, the generation of the session key formation is initiated by end user 
station- 1, 10, by selection, 20, of a secret number xi , and computing ,22, an ephemeral key g xl . 

6 



It then encrypts ,24, using its password shared with proxy- 1, 16. It also generates, 26 , an end to 
end challenge, ci , to end user station-2, 12, and generates, 28 , a challenge, m, to proxy- 1, 28. 
End user station- 1, 10, transfers, 30, to proxy- 1, 16, g xl encrypted with end user station- Ts 
password, and challenge rn to proxy- 1, 16 and challenge ci to end user station-2, 12, in the 



Proxy- 1, 16, and proxy-2, 18, each have their own public key which has been certified by 
an independent Certification Authority. Therefore the proxies, 16, 18 have the authority to 
compute digital signatures for their messages. This capability is utilized in the next step of 
forming the session key to be used by the end user stations 10, 12. 



l 0 with password-1 (PWi), end to end challenge Ci, and end user station- 1, 10, challenge to proxy- 1, 

p 16, rn. Proxy- 1, 16 , decrypts, 34, the password-1 (PWi) encrypted ephemeral key g xl , storing, 

a 36, it and the challenge rn. Proxy-1 then picks its secret number yi and computes, 38, g x y . 

m 

in Proxy-l, 16, concatenates d, 39, with g xlyl resulting in (g xlyl || Ci ), then digitally signs, 40, with 

Hs its own private key the partially calculated session key g xlyl concatenated with ci . 



A (Concatenation of a with b is displayed as a || b.) It finally retrieves, 42, its certificate from 
storage, and transmits, 44, signed (g xlyl ||ci), and its certificate to proxy-2, 18. 

Referring to Fig. 4, proxy-2, 18 receives ,46 , the signed g xlyl , end-to-end challenge ci, 
and proxy- Vs , 16, certificate. Proxy-2, 18, checks , 48 ,the received digital signature and 
20 certificate, and verifies that it, in fact ,is from proxy- 1,1 6. If the verification fails, an error 

message is returned 50 to proxy-1 and the protocol is stopped. If the verification succeeds, proxy- 
2, 18, picks its secret numbers y 2 and u 2 , and computes g xlyly2 and g" 2 . The computed g" 2 is a 
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clear. 




Referring to Fig. 3, proxy-1, 16, receives,32, from end user station- 1, 10, g xl encrypted 
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interim key for later use with end user station-2, 12. Proxy -2, 1 8, encrypts, 54, g xlyly2 and g" 2 
with end user station-2's, 12, password, PW2 and selects a challenge r 22 to end user station-2. 
Proxy-2, 18, then sends 58 the encrypted information PW 2 (g xlyly2 || g" 2 ) , r 22 , Ci to end user 
station-2, 12. 

Referring to Fig. 5, end user station-2, 12, uses ,60 ,its password PW2 to decrypt proxy- 
2's, 18, message, recovering g xlyly2 and proxy-2's interim key g" 2 . End user station -2 picks , 62 
,its secret number x 2 , and computes, 64 ,K= g xlyly2x2 , which is the end-to-end session key, and 
also computes, 64 , K 2 = g" 2 * 2 , a local session key for communications with its proxy-2, 18. It 
selects, 66, a challenge to proxy-2, 18, r 2 i, and a challenge to end user station- 1, 10, c 2 . It then 
responds to proxy-2, 18, by sending, 68, to proxy-2, 18, using the interim key, K 2 , the encryptd 
message K 2 (r 22 1| r 2 i), and sending, 70, the message K(c 2 1| c,). It also forwards , 72, g* 2 to proxy- 
2. 

At this point it will be appreciated that the session key K has been sequentially computed 
by contributions of secret numbers from each of the participants, but the end-to-end session key K 
is only in the possession of end user station-2, 12. Starting with g* 2 being transferred back to 
proxy-2, 18, the end-to-end session key, K, will be recalculated using the same contributions in 
reverse from each party until the end-to-end session key K is re-generated by end user station- 1, 
10. These reverse direction calculations will also be accompanied by authentication and 
confirmation of the identities of the parties involved. 

Referring to Fig. 6, proxy-2, 1 8, computes ,74, the local session key K 2 =g u2x2 which 
allows proxy-2, 18 to decrypt, 76, end user station-2 f s,12, encrypted K 2 (r 22 ||r 2 i). The next step is 
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deciding ,72, whether its challenge r 22 is present. If r 2 2 is not returned by end user station-2, 12, 
proxy-2,18, stops the protocol and sends 80 error messages to the other parties so advising them. 
If r 22 is present , the protocol is continued and proxy-2, 18, computes Cg" 2 )* 2 , where y2 is in 
storage from previous steps in the protocol. Proxy-2, 18, then digitally signs, 84, g" 2 * 2 , and sends 
5 86, the digital signature of g" 2 * 2 and its certificate to proxy- 1,16, along with end user station-2's 
end-to-end challenge and response pair K(c 2 1| Ci). 

Referring to Fig. 7, proxy- 1,16, receives digital signature of g" 2 * 2 from proxy-2, 1 8, and 
verifies, 88, whether the signature is legitimate. If not, it stops, 89, the protocol and advises the 
f=s parties of the failure of the protocol. If the digital signature is legitimate, it chooses a secret 
m number u, and computes ,90 , g ul . It also computes,92, (g x2y2 ) yl from its own secret yi and the 

*i? * 

received g* 2 * 2 and also computes , 94 , Ki=g xlul , which is a local session key for communication 

M 

2 with end user station- 1 , 1 0. A challenge is generated, 96, ri 2 , for challenging end user station- 1 , 

L 10, and using K, it forms K,(r n ||r, 2 ). Proxy-1, 16, then sends, 100, g ul , g ylx2y2 , K,(rn ||r 12 ), and 

in || 

the received K(c 2 1| ci) to end user station- 1, 10. 

Ms Referring to Fig. 8, end user station- 1, 10, computes, 102, Ki= (g ul ) xl and the session key 

K=(g y,x2y2 ) xl from the values just received from proxy-1, 16. Note that both end user station- 1, 10 
and end user station-2 now have the completely computed end-to-end session key, K. The rest of 
the protocol consists in confirming, if desired, that the participants are all legitimate parties to the 
formation of the session key. End user station- 1, 10, may now verify 106 that its challenge rn to 
20 proxy-1, and ci its end-to-end challenge to end user station-2, 12, are confirmed by having 
received back the challenge words that it originally sent out. If the correct responses are not 
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present, the protocol is cancelled 108 with error messages sent to the participants. If the challenge 
responses are correct, end user station- 1 uses local session key Ki to send, 110, n 2 to proxy- 1 
confirming to proxy- 1, 16 that it is in fact end user station- 1, 10, and sending, 1 10, K(ci || c 2 ) to 
proxy- 1,10 for forwarding on to end user station-2, 12, via proxy-2, 18. 

It will be noted that the proxies never have the complete end-to-end session key in their 
possession; they only have the intermediate computations that are passed on to the end user 
stations of the session key. However, while the chance is small, a proxy may carry out a man-in 
the middle attack by impersonating a legitimate user station and establishing two "bogus" secure 
connections to each of participating end user stations. To prevent this attack , an end user 
station, can request the other end user station to sign the response of the end-to-end challenge 
K(c 2 1| C x ) and/or K(c 2 ) . If the proxy launched the man in the middle attack, the resultant session 
key K used for communication will be different from the one used to compute the response, and 
such an attack will be detected. Because the proxy has no idea whether an end user's station has 
the power to do signature verification, the proxy will be forced to faithfully provide its service . 

In the embodiment described above, it has been assumed that either of the end user 
stations 10, 12 may lack the facilities for computing and authenticating the secure session key, K, 
and had to rely on their proxies 16, 18. However, the teachings of the invention are not limited to 
this particular configuration of end user stations. In a second embodiment, one of the end stations 
may have adequate capability to both perform the necessary computations and to perform the 
authentication process. For convenience , but not as a limitation, this end station is represented as 
a "desk computer" , and the end user station incapable of performing all the necessary steps is 
represented as a "hand held" device. 
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It will be understood that the basic protocol followed in this second embodiment follows 
the same steps as described in the first embodiment, but because of the capability of the end user 
labeled "desk computer", certain steps are compressed as this end user can provide some of the 
functions previously specified as a proxy function. The sequence of steps in implementing the 
protocol depends upon whether the request for communication is initiated by the "desk top 
computer" or the "hand held device". The flow charts of Figs. 10- 14 and 15-18 illustrate these 
two configurations for performing end-to-end communication. While the overall protocol is 
basically the same whichever end station initiates the communication, the individual steps depend 
upon the originating station, and both routines will be described below. 

Referring to Fig. 9, a hand held communication device ,112, of limited computation 
power communicates, 113, with a desk top station 116 that does have adequate communication 
power to support generating a session key . This embodiment discloses an auxiliary proxy, 1 14, 
which interfaces with the hand held device 1 12 and the desk top computer 1 16, and which 
provides the computation power lacking in the hand held device 1 12. 

Referring to Fig. 10, the hand held device, 112, selects secret number X\ and the primitive 
root g. It computes ,120, g xl and encrypts g xl with password PWi,122. It also generates ,124, a 
challenge ci for desk top computer 116, and generates 126 a challenge rn to the proxy 1 14. 
It then transfers, 128, PWi(g xl ), ci, and r n to proxy, 1 14. 

Referring to Fig. 11, proxy, 1 14, receives ,130, PWi(g xi ), ci, and r n and , 132 ,decrypts 
g xl under PWj. Proxy, 1 14, picks secret number yi and computes , 134 , g xlyl . It concatenates Ci 
and g xlyl , Ci ||g xlyI and digitally signs, 138, the combination. It retrieves 140 its certificate and 
transmits 142 the digitally signed data, and the certificate to the desk top computer, 1 16. 
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Referring to Fig. 12, the desk top computer, 1 16, receives signed ci ||g xlyl and certificate 
from the proxy, 144, and verifies ,116 ,that the digital signature is valid. If validation, 146, fails, 
and error message, 147, is sent to the other parties of the system, and the protocol is aborted. If 
validation is approved, the desk top computer, 1 16, selects, 148, its secret number x 2 , and 
computes 149, the session key K= (g xlyl ) x2 . It then picks its end-to-end challenge c 2 , digitally signs 
g^ and sends ,152 ,the signed message, its certificate and K(ci ||c 2 ) to proxy 1 14. 

Referring to Fig. 13, the proxy, 1 14, receives the signed message, g* 2 . It ,156, checks the 
validity of the signed message, and if it is not valid, error messages are sent, 158, to the end users, 
and the protocol stops. If the signature is valid, the proxy 1 14 selects another key u, and r !2 and 
computes 160, interim key g u and local session key K t = (g xl ) u . The proxy, 1 14, sends ,162, 
K(d |t o 2 ), Ki(r„ || r 12 ), (g^)* 1 , and g u to the hand held device 1 12. 

Fig. 14 shows the hand held device 112 receives 159, g u , g^and K(ci || c 2 ). The hand 
held device, now can compute the end-to-end session key K=(g x2yl ) xl , local session key Ki=(g u ) xl , 
and can securely communicate with the desk top computer, 1 16, on communication channel 113. 

In the other scenario, where the desk top computer 1 16 initiates the request for 
communication, Fig. 15 illustrates the desk top computer, 1 16, selects, 164, g, challenge Ci, and 
secret number xi. It signs (g xl || Ci), and transmits, 168, it to proxy, 1 14, along with its certificate. 

Referring to Fig. 16, proxy ,114, receives ,170, signed (g x1 ||ci). Checking ,172, the 
validity of the signed message; if it is not valid, an error message is generated ,174, and sent to all 
parties. If it is valid, proxy ,114, the proxy selects secret number u and secret number y 2 . It also 
selects challenge r 22 , and 176 calculates g u and g xly2 . Proxy 1 14 sends ,178, PW 2 (g u ) and 
PW 2 (g xly2 ), challenge r 22 and Ci to the hand held device, 1 12 . 
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In Fig. 17, the hand held device, 1 12, selects, 180, a secret number x 2 , and calculates g* 2 , 
182. It also calculates, 184, K=(g xly2 ) x2 and K 2 =(g u ) x2 - It P^ks challenge r 2l , sends, 186, to 
proxy, g* 2 , K 2 (r 22 || r 2 i) , and K(ci || c 2 ). Proxy calculates (g* 2 / 2 and digitaUy signs g* 2 * 2 and 
retrieves its certificate, 190 . It then sends the signature, its certificate, and K(ci||c 2 ) 192 to the 
5 desk top computer, 1 16. 

In Fig. 18, the desk top computer, 1 16, receives digitally signed g* 2 * 2 , the certificate, and 
K(ci || c 2 ). It validates, 196 ,the received information, and if validation fails, sends error messages 
to the parties, 198. If validation is approved, the desk top computer can now compute 200 the 
session key, K^g^f. 
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f |0 The invention has been disclosed in terms of preferred embodiments, but it will be 
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*p understood that variations and modifications can be effected within the scope and spirit of the 
^3 invention. 
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